
INDUSTRY STANDARDS


Standards are crucial in ensuring the safety, quality and reliability of digital products and services. That’s why our experts work closely with other bodies to deliver future-proofed, compliant solutions.

At Cryptomathic we prioritize adherence to globally recognized industry standards to ensure our solutions meet the highest levels of security, quality and interoperability. Our products are designed to comply with and support the following standards.

Built with unrivalled technical knowledge gained over decades of experience, our solutions help governments, banks and businesses understand their vulnerabilities and take action to keep regulators happy and digital assets safe.

CEN, the European Committee for Standardization, is an association that brings together the National Standardization Bodies of 33 European countries. CEN provides a platform for the development of European Standards and other technical documents in relation to various kinds of products, materials, services and processes. CEN supports standardization activities in relation to a wide range of fields and sectors including: air and space, chemicals, construction, consumer products, defense and security, energy, the environment, food and feed, health and safety, healthcare, ICT, machinery, materials, pressure equipment, services, smart living, transport and packaging.

www.cen.eu

The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It provides a framework for specifying, implementing, and evaluating the security features and capabilities of IT products. The Common Criteria ensures that the process of specification, implementation, and evaluation of a product's security features is rigorous and standardized. 

Cryptomathic Signer relies on Common Criteria Evaluation Assurance Level (EAL) 4 augmented with ALC (Assurance Level Components) to perform the Qualified Signature Creation Device (QSCD) certification.

This reliance on Common Criteria EAL 4 augmented with ALC ensures that Cryptomathic Signer meets stringent security requirements, providing a high level of confidence in its ability to create qualified electronic signatures. This certification is crucial for our product as it demonstrates compliance with regulatory standards and instills trust in our customers regarding the security and reliability of our solution. 

www.commoncriteriaportal.org

EMVCo manages, maintains and enhances the EMV® Integrated Circuit Card Specifications for chip-based payment cards and acceptance devices, including point of sale (POS) terminals and ATMs. EMVCo also establishes and administers testing and approval processes to evaluate compliance with the EMV Specifications. A primary goal of EMVCo and the EMV Specifications is to help facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices. This objective extends to new types of payment devices as well, including contactless payment and mobile payment. 

Cryptomathic offers end-to-end support for EMV card issuance—including data preparation, personalization, and secure key management. 

Cryptomathic’s Obsidian Issuance ensures secure data generation and HSM-backed key protection to meet EMV requirements and support major payment schemes. With deep EMV project expertise and services for migration, issuance, and cryptographic key management, Cryptomathic enables organizations to deploy secure, standards-based payment systems confidently. 

www.emvco.com 

ETSI, the European Telecommunications Standards Institute, produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and Internet technologies. ETSI standards enable the technologies on which business and society rely. For example, the standards for GSM™, DECT™, Smart Cards and electronic signatures have helped to revolutionize modern life all over the world.

www.ETSI.ORG

GlobalPlatform is an independent, not-for-profit organization driven by over 50 cross-industry member organizations. GlobalPlatform is the leading international association focused on establishing and maintaining interoperable specifications for single and multi-application smart cards, acceptance devices and systems infrastructure that deliver benefits to issuers, service providers and technology suppliers.

www.GLOBALPLATFORM.ORG

The Microsoft Partner Network is designed to equip organizations that deliver products and services based on the Microsoft platform with the training, resources and support they need to provide their customers a superior experience and outcomes.

Cryptomathic has achieved a Gold Independent Software Vendor (ISV) / Software Competency in the Microsoft Partner Network, demonstrating its ability to meet Microsoft customers' evolving needs in today's dynamic business environment.

The Microsoft Gold Competency signifies to the market that a company has demonstrated the highest level of skill and achievement within a given technology specialism. Each competency has a unique set of requirements and benefits, formulated to accurately represent the specific skills and services that partners bring to the industry.

PARTNER.MICROSOFT.COM

NIST (The National Institute of Standards and Technology) is a non-regulatory federal agency within the U.S. Department of Commerce which is heavily involved in standardization of cryptographic solutions. The NIST Federal Information Processing Standard - FIPS - is one of many NIST initiatives relevant to secure solutions. 

For the use of HSMs (Hardware Security Modules) FIPS 140 has prevailed as the predominant standard for security evaluation.  

Cryptomathic uses FIPS 140-2 Level 3 or 4 certified HSMs for key generation and storage, and follows best practices for cryptographic key management and lifecycle. These HSMs comply with many major industry standards, such as those set out by card payment schemes, for example Visa, as well as governments and military.

www.itl.nist.gov/fipspubs 

OATH is an industry-wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication.

OATH comprises industry leaders working with other standards groups toward the propagation of ubiquitous strong authentication, enabling eBusiness and giving customers the confidence to conduct secure commerce and communication online.

An OATH ecosystem consists of devices, chip sets, platforms, applications, integrators, and customers, all working together in a strongly authenticated, highly secure environment.

www.OATH.COM

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society.

OASIS promotes industry consensus and produces worldwide standards for security, Cloud computing, SOA, Web services, the Smart Grid, electronic publishing, emergency management, and other areas.

OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology.

www.OAsis-open.COM

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. At its core is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents. 

Cryptomathic's Obsidian leverages PCI best-practices and integrates with cloud-based PCI-certified HSMs to ensure compliance, while safeguarding sensitive data. Its PIN capture and display processes meet the highest security standards required by PCI. 

Cryptomathic's Mobile Application Security Core (MASC) focuses on application-level security, helping institutions meet PCI DSS and PSD2/3 requirements by enforcing strong cryptographic controls. 

Cryptomathic's Crypto Key Management System (CKMS) enables PCI DSS compliance by securely managing encryption keys with strong generation, rotation, HSM-backed storage, and strict access controls. It also provides tamper-evident audit trails and centralized encryption policy enforcement to protect cardholder data in transit and at rest.

WWW.PCISECURITYSTANDARDS.ORG 

PKCS, which stands for Public Key Cryptography Standard, is one of the most important standard frameworks in modern cryptography. Since work on the standard was started in the 1980s there have been many standards published under the framework.  

The most notable PKCS standard that Cryptomathic works with is PKCS#11, which is used for integrating software applications with Hardware Security Modules (HSMs).

Cryptomathic solutions support and adhere to many of the other PKCS standards as well. 


The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.

The Alliance invests heavily in education on the appropriate uses of technology for identification, payment and other applications and strongly advocates the use of smart card technology in a way that protects privacy and enhances data security and integrity.

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought.

The Alliance is the single industry voice for smart card technology, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America.

www.smartcardalliance.org

The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices.

TCG specifications will enable more secure computing environments without compromising functional integrity, privacy, or individual rights.

The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from compromise due to external software attack and physical theft.

www.TRUSTEDCOMPUTINGGROUP.ORG

The Cloud Signature Consortium (CSC) is a global group of industry, government, and academic organizations committed to driving standardization of highly secure and compliant digital signatures in the cloud. Inspired by eIDAS, CSC eases solution interoperability, streamlines compliance with e-signature regulations, and opens the market for uniform adoption of cloud-based digital signatures around the world.

Cryptomathic is an executive member of CSC, actively shaping the standard to promote global interoperability in digital signing and sealing. Offering fully CSC-compliant digital signing and sealing based on the CSC standards, Cryptomathic’s Signer ensures easy integration into any customer flow, mobile wallet or business system and supports seamless platform integration, replacement, and expansion.

www.cloudsignatureconsortium.org 

The European Union Agency for Cybersecurity (ENISA) publishes the Smartphone Secure Development Guidelines, offering 152 recommended security measures across 13 domains to address the full threat landscape of mobile apps. These guidelines cover secure data handling, authentication, secure code integration, in-transit protection, device integrity, and privacy safeguards, serving as a practical resource for developers to design and test secure mobile applications. 

Cryptomathic’s Mobile Application Security Core (MASC) is designed to help organizations meet ENISA’s recommendations by supporting the implementation of 44 out of 47 relevant app-level security measures—achieving 94% coverage. Our mobile application security suite delivers a robust framework with features like runtime application self-protection, cryptographic toolbox, application hardening, secure connectivity and storage, and comprehensive network, device, and API protection to deliver end-to-end security. 

WWW.ENISA.EUROPA.EU 

The Open Web Application Security Project (OWASP) is a globally recognized nonprofit dedicated to improving software security. Its Mobile Application Security Verification Standard (MASVS) defines structured security requirements for mobile apps, supporting secure design, testing, and defense against threats like tampering and reverse engineering. 

Cryptomathic’s Mobile Application Security Core (MASC) provides a robust security framework implementation that aligns closely with OWASP. It delivers up to 94% compliance in a single solution, with core features including runtime application self-protection, a cryptographic toolbox, application hardening, secure connectivity and storage, and fortified network, device, and API protection for true end-to-end security.

WWW.OWASP.ORG

The eIDAS Regulation is the EU framework that governs electronic identification, authentication, and trust services to enable secure and seamless digital transactions across member states. eIDAS 2 enhances this with the introduction of the European Digital Identity Wallet (EUDI Wallet) and stronger requirements for Qualified Electronic Signatures (QES) and Qualified Trust Service Providers (QTSPs) to ensure trust, security, and legal validity in cross-border digital interactions. 

Cryptomathic’s Signer is designed to meet the stringent technical and legal requirements of eIDAS 2. Cryptomathic Signer includes our own certified Qualified Signature Creation Device (QSCD), certified under eIDAS, ensuring that all signature operations meet the highest legal and technical standards. Signer is a product suite that enables qualified trust service providers, governments, system integrators, and financial institutions to create a highly scalable and performant qualified remote electronic signature or sealing service — ensuring full legal compliance and non-repudiation. 

Cryptomathic’s Mobile Application Security Core (MASC) is our in-app mobile security solution used to protect EUDI wallets against reverse engineering, tampering, and credential theft. MASC provides application-layer cryptographic controls, secure key storage, and anti-cloning protections, helping providers meet eIDAS 2 requirements for wallet security, user trust, and secure signature creation. 


The Digital Operational Resilience Act (DORA) is the EU’s regulatory framework designed to ensure the cyber resilience of financial institutions and their ICT service providers. It establishes strict requirements for digital risk management, incident response, and operational continuity, with a clear emphasis on the protection and governance of cryptographic systems. 

Cryptomathic’s Crystal Key Management System (CKMS) plays a central role in helping financial institutions meet DORA’s explicit mandates around cryptographic controls. CrystalKey360 provides centralized, policy-based management of cryptographic keys across the entire lifecycle — from secure generation and distribution to rotation, deactivation, and destruction. Keys are stored and operated within certified hardware security modules (HSMs), ensuring confidentiality, integrity, and resistance to tampering. 

By aligning with DORA’s core principles of resilience, traceability, and accountability, CrystalKey360 strengthens the digital operational posture of regulated entities and ensures that cryptographic assets are protected under the most demanding regulatory expectations. 

www.digital-operational-resilience-act.com

ZertES is the Swiss legal and technical framework for electronic signatures, setting out the requirements for Qualified Electronic Signatures (QES). While aligned with the principles of the EU's eIDAS Regulation, ZertES, SG ETA and other regional compliance-grade signing schemes define their own criteria for Signature Creation Devices and identity assurance.

Cryptomathic Signer is a comprehensive product suite designed to support qualified remote electronic signatures and seals at scale. It enables qualified trust service providers, governments, system integrators, and financial institutions to deliver high-performance, legally compliant signature services. Signer supports the management of multiple signature policies across different regulatory regimes for the same solution, offering unmatched flexibility. It includes Cryptomathic’s certified Qualified Signature Creation Device (QSCD), to ensure all signature operations meet the highest legal and technical standards—guaranteeing both compliance and non-repudiation. 

EXPLORE OUR COMPLIANCE BLOGS

2025 Compliance Guide: DORA, PCI DSS & PQC

Learn how to reduce crypto sprawl, align with PQC, DORA, PCI DSS 4.0.

PCI DSS and Crypto Key Management Guide

Explore PCI Security Standards and how a Key Management System applies to PCI DSS.

How MASC Ensures PCI DSS and PSD2/3 Compliance

Explore how MASC helps financial institutions comply with PCI DSS & PSD2/3.